A long time ago I wrote the first incarnation of this document. I was
aiming at something that would explain sniffers and sniffer technology
to people who are not all that familiar with security (i.e. newbies) as
well as provide an accessible reference for more experienced individuals.

I think that I've struck a good balance judging from all of the emails
that I received (including a few from some kiddies that were clearly running
sniffers on networks other than theirs).

As time went on, more and more unique and interesting things were being
done with sniffers. I intended to revise this document to reflect these
new changes but I have used every excuse in the book to put off this revision.

A quick note: you (the reader) will no doubt notice that there is no
flow to this article. The reason, as stated above, is that one of the
goals is to also act as a reference for a more experienced person;
keeping it modular lets the reader read a specific section without
having to refer to another for background.

A sniffer is a program that puts a NIC (Network Interface Card), also
known as an Ethernet card (one of the necessary pieces of hardware to
physically connect computers together), into what is known as promiscuous
mode. Once the network card is set to this mode, it gives the sniffer
program the ability to capture packets being transmitted over the network.
(A quick note: packets are transmitted over the network until they reach
their target host. A sniffer takes advantage of this and captures ALL packets
as they are being transmitted.) Some sniffers capture packets in different
ways, and this will be described later on in the article.

A standard packet will travel from "your comp" through the network. Each
computer on the network will receive that packet, starting with "friend
comp", followed by "bad guy" and ending up at "dest comp." Each machine
is supposed to ignore the packet if it is not destined for the IP address
assigned to that computer. However, a sniffer program bends that etiquette
and accepts ANY packet it receives. A sniffer is also known as a network
analyzer. There is no real difference between a network analyzer and a sniffer,
but security companies and the Federal government like this name because
it sounds more legitimate and less threatening. The original term for capturing
all packets on a network was 'sniffing the Ether', which sounded
like something bad to people not familiar with computers and Ethernet. 'Ether'
was a technology term used to describe the land of packets, made up of
cables and network cards, and should not be confused with the chemical ethyl
oxide.

III. What Type of an Attack is it?

A sniffer being used on a network to snoop passwords and anything else
is considered to be a passive attack. A passive attack is one that doesn't
directly intrude onto a foreign network or computer. Using a sniffer as
an example, one is set up in hopes of catching desired information including
logins and passwords. On the other hand, an active attack directly interfaces
with a remote machine. Remote buffer overflows, network floods and other
similar attacks fall under the category of an active attack. By nature,
passive attacks are not meant to be discovered by the person(s) being attacked.
At no point should they have any indication of your activity. This makes
sniffers just as serious as any active attack.

IV. What a Sniffer is Good For

Sniffers are multifaceted. They are part of any good system administrator's,
network administrator's, or hacker's toolbox. With a sniffer, one can sniff
a network for passwords, emails, confidential documents, and whatever else
might be flying around unencrypted on the given network. You can also map
out a network and establish an understanding of what the network is composed
of (workstations, servers, routers, switches, network appliances, etc.).
Points of trust can also be discovered this way. Trust within the scope
of a network means that some machines are set up to "trust" other computers
to share resources. Therefore if you are able to gain access to a trusted
box, you can abuse that trust and use it as a springboard into the rest
of the network. By sniffing traffic on hosts close to the target machine,
the likelihood of gaining the vital information needed is increased.

The above paragraph outlines a use of a sniffer which one could only
assume is illegal. This is true, but if you happen to have a security position
(like a security consultant or an in-house pen tester), or are someone
doing this to their own network, it is perfectly legal.

Some more legal ways that sniffers can benefit the people that use them
are things like network mapping. Even though this method was described
as a way to exploit a target network, an administrator can map out a network
to update old maps, discover any new systems that might be rogue, use it in
conjunction with another software suite to act as an IDS (think Shadow),
identify any bottlenecks on the network, as well as a few other useful
things.

V. Different Types of Sniffers

Most of the more popular sniffers only monitor one connection at a time.
The reason for this is to make the sniffer harder to detect due to smaller
logs and less use of CPU power. A small number of sniffers monitor all
connections. Oftentimes, looking at the CPU load and file system is the
only way to detect such sniffers. Intruders are often quick to backdoor
systems so that normal utilities like ps and ifconfig will not provide
reliable output. If you notice your CPU load is higher than normal, or
that every day you lose one more meg of disk space that can't be explained,
it may point to the presence of a sniffer. This type is easier to spot
because its logs will be much larger and it will eat up much more CPU,
but in return it will log much more. On large networks, these sniffers
may generate up to ten megabyte logs a day if set to log all interactive
traffic. Sniffers designed to monitor interactive traffic as well as mail
may grow even faster. Sniffers also have different methods of logging.
Some sniffers will only record the first X (X being a certain number) bytes
of a packet to capture a login/password. The other method will capture
the entire session, which would make it into a key logger. Some of the
more versatile sniffers will support both methods. These will vary depending
on the intruder and the desired end result.

VI. Sniffer Construction

If you are interested in more details on how a sniffer works, there
is an excellent two-part paper by Chad Renfro. He details the basic
elements of programming a sniffer, which requires a working knowledge of
the C programming language. If you understand Renfro's article well, you
should advance to studying the source code of sniffers (such as esniff.c).

VII. Popular Sniffers

There are sniffers that are considered to be primarily 'hacker' tools
while the rest of them are considered to be system administration tools.
If you are looking for a sniffer to put into a production environment then
you are going to want to find a sniffer that is actively in production
and is rather mature in its evolution, such as tcpdump, ethereal, and snort.

The following is a list with a synopsis of various sniffers available.
I will only list sniffers that are open source and free. This
is not a complete list but is still a comprehensive one.

ADMsniff
This sniffer was put out by the ADM group. It was authored by antilove
with help from plaguez. The purpose of ADMsniff is supposed to be "portable
and powerful."

Aldebaran
Aldebaran was created by its author after no other sniffer was able
to meet his needs. The author got the name Aldebaran after finding it on
an Enya CD. This sniffer is interesting in that it can operate
in a distributed fashion: an included program (boadicea) in the software
suite can collect data captured by various Aldebaran sniffers.
The sniffer also has encryption capabilities as well as a kernel module
based on the Adore module to hide the sniffer.

Altivore
Altivore is a sniffer with just under 1800 lines of C code meant to
be a replacement for the FBI's Carnivore (now renamed DCS1000). It could
still stand much more improvement. Nonetheless, it makes for a good
starting point to learn about sniffers in general as well as the behavior
of programs like Carnivore.

Anger
Anger was authored by Aleph One. This sniffer is not a general purpose
sniffer but rather a program that sets out specifically to sniff the
challenge/response portion of a PPTP (Point to Point Tunneling Protocol)
exchange; the captured data can then be fed into a password cracker.

Angst
Angst is described as a sniffer that "provides methods for aggressive
sniffing" by its author Patroklos Argyroudis. Angst has the ability to sniff
a switched network. This is a rather new technique and will be described
in a later section of this document.

APS
APS (Advanced Packet Sniffer) was written by Christian Schulte. He
wrote it in an attempt to better understand various popular protocols.

Dsniff
This is the king of the hill of all sniffers. Dsniff, by Dug Song, is
very well developed and mature. This suite of programs sports
functionality for general sniffing, ARP spoofing, DNS spoofing, switch
sniffing, and a plethora of other unique and amusing capabilities.

Etherape
Etherape bills itself as a network traffic browser. It is an etherman
clone that uses GNOME for its display interface.

Ethereal
Ethereal is obviously one of the best-of-breed sniffers out there.
It is being developed as a free, commercial-strength sniffer. It has many
features, a good interface, support for a copious number of popular
protocols, and it is actively developed and maintained. This is a
sniffer you may want to use if you are searching for one to put into a
production environment.

Ettercap
Ettercap is probably the best sniffer out there targeted at sniffing
switched networks. It has an ncurses interface and the ability to collect
passwords, inject characters, sniff traffic traversing a GRE (Generic Routing
Encapsulation) tunnel, and a few more things. Be sure to check this one out
because it is one of the better pieces of software floating around on the Net.

Ksniffer
Ksniffer, as its name implies, is a sniffer designed for the
KDE environment. If you are fond of KDE then this sniffer
should be able to please you.

Maxty
Maxty, coded by IhaQueR, is a sniffer designed to reside in kernel space
and sniff tty sessions. This is another sniffer whose purpose is a specific
one.

Netdude
Netdude is essentially an advanced filter for tcpdump. When a log is
produced by tcpdump using the -t option, you can then feed that log into
Netdude and enjoy a nice GUI (Graphical User Interface) to inspect the
network dump.

Netl
Netl is a more fully featured sniffer that sports rather nice logging
capabilities and a customizable and modular architecture. This would be
ideal for an individual who is looking to experiment with sniffer code
but does not want to code one from scratch.

NetPacket
Written by Tim Potter, NetPacket is a collection of Perl modules that
aid in disassembling popular protocols as well as Ethernet frames.
Any Perl monger should look into this.

Ngrep
Ngrep stands for Network Grep. This sniffer has the unique (and very
useful) ability to 'grep' network traffic with specified regular
expressions (if you don't know what grep is, it is a Unix command; for
more information on it, issue the command 'man grep'). This was authored
by Jordan Ritter and is one of the better sniffers out there, so be sure
to check this one out.

Ntop
Ntop, coded by Luca Deri, is designed to act like the top command (type
'man top' on a *nix system for more information) for a given network,
providing network information and statistics. There have been reports that
this program does not perform very well on an active network.

Parasite
This was written by the famous van Hauser of THC. This is another
sniffer designed for sniffing switched networks. This would be a good
starting place for someone who wants to study code to learn the ins and
outs of switch sniffing.

Passfing
Written by Crain Smith as proof-of-concept code to demonstrate that,
using passive sniffing, someone can use the collected data to determine
what OSs are present on the network just by identifying various
OS-specific idiosyncrasies in packet headers.

Pylibpcap
This is a module written in Python that interfaces with libpcap.
If you are a Python coder, you might want to give this one a look. Pylibpcap
was written by Aaron L. Rhodes.

Siphon
This is another sniffer designed to perform passive OS fingerprinting.
It was authored by bind and aempirei. If my memory serves me correctly,
this was the first passive OS fingerprinter made available on the Internet.

Smit
This is described as a "simple ARP sniffer." This is another sniffer
that enables the user to do some sniffing on a switched network. It was
written by IhaQueR.

Sniffer
This sniffer, written by Marko Zivanovic, is described as a "script-driven
network traffic monitoring tool" and has a generic name.

Sniffit
Coded by Brecht Claerhout, Sniffit was intended to "demonstrate the
unsafeness of TCP." This sniffer is not actively developed or maintained
but the code is still very good and would make for good studying for those
wishing to learn more about sniffers as well as how to use libpcap.

Snmpsniff
Snmpsniff is another specific sniffer, designed to be an SNMP PDU sniffer.
Snmpsniff was authored by Nuno Leitao. There is no support for SNMP v3,
only v1 and v2.

Snort
Ah, Snort. This is a piece of software that I cannot begin to do justice
to. It is a LIDS (Lightweight Intrusion Detection System). Snort captures
the entire packet: all the header information as well as the payload. This
is definitely one of the better sniffers out there. It is very well developed
and maintained. It has a huge following and is regarded by many as the
best IDS out there. Snort is something that you have to become familiar
with if you are interested in sniffers or security in general.

Sosd
Sosd is yet another sniffer designed to be a passive OS identifier.

SSLdump
SSLdump is another specific sniffer whose purpose is to sniff SSLv3/TLS
packets. A noteworthy feature is that, according to the readme file, if
you link ssldump with OpenSSL you can dump certificates in decoded form.

Tcpdump
Well, here is another sniffer that has earned the title of being one
of the best. This sniffer is very mature and well maintained. It is very
easy to apply a filter with. There are many great features. This is something
that you have to get if you are interested in sniffers and/or general security.

VIII. Detection & Prevention

If you are in charge of a network's security, you are going to need
to check whether someone has installed a sniffer somewhere on the network
that is not supposed to be there. The first way to do this is to get a small
C program called promisc.c. When compiled, it will search your local
machine for any NICs in promiscuous mode (which was briefly discussed at
the beginning of this text). The C program neped.c will do remote checking
for any sniffing activity; however, it will compile on Linux only. To
search by hand, issue the command 'ifconfig -a' if you are on a *nix and
look for any of your network interfaces bearing the PROMISC flag. The
L0pht has put out a very good piece of ware called AntiSniff. So far, it
is still in beta and runs on Win9* but was made with NT in mind. The L0pht
is planning to release an open source command-line version for Linux, but
if you want a Linux program now that will do the same type of searching,
check out neped.c. Sentinel is another good contender; it tries to detect
all publicly known methods of hiding a promiscuous sniffer on a network.
These tools are designed to remotely detect sniffers on other hosts within
the same subnet. While not foolproof, they are excellent tools and often
quite reliable. For the prevention of unauthorized sniffing, you should
use strong cryptography (you should be using strong crypto no matter
what!), so even if someone does sniff you, you are not at much risk from
this form of attack. When you originally designed your LAN, you should
have had security in mind anyway. I am not going to go into secure LAN
and segmentation design because it is another text altogether, but these
are a couple of methods to help you out. You should search the net and
various security sites (as well as using your brain) to help better the
security of your network.
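As an added example (mine, not promisc.c, neped.c or any of the tools
named above), the following Python script does the 'ifconfig -a' check
described here programmatically: it decodes the interface flags word for
the PROMISC bit, parses 'ip link show' or modern ifconfig output, and
reports any promiscuous interface that is not on your own allowlist (say,
the interface Snort listens on). It assumes a Linux-style flags word and,
for the sysfs check, that /sys/class/net/<iface>/flags reflects the flag;
a backdoored ifconfig or a hiding kernel module can still lie to it, which
is why the remote tools above exist.

```python
import os
import re

# Bits of the interface flags word (net/if.h on Linux and the BSDs).
# Only the two this check needs.
IFF_UP = 0x1
IFF_PROMISC = 0x100


def flags_word_is_promisc(flags_hex):
    """Decode a hex flags word such as '0x1103' and report the PROMISC bit."""
    return bool(int(flags_hex, 16) & IFF_PROMISC)


def promisc_from_ip_link(text):
    """Return the interface names whose 'ip link show' or modern 'ifconfig'
    line carries PROMISC inside the angle-bracketed flag list."""
    found = set()
    for line in text.splitlines():
        m = re.match(r"^\s*(?:\d+:\s*)?([A-Za-z0-9_.@-]+):?\s.*<([^>]*)>", line)
        if not m:
            continue
        name, flags = m.group(1), m.group(2).split(",")
        if "PROMISC" in flags:
            found.add(name.split("@")[0])   # strip 'veth0@if5' style suffixes
    return found


def promisc_from_sysfs(root="/sys/class/net"):
    """Read the flags word each interface exposes under sysfs (Linux only;
    assumption: the file mirrors the kernel's IFF_* flags). This bypasses
    the ifconfig binary, which the text notes intruders often backdoor,
    but not a kernel module that hides the flag."""
    found = set()
    if not os.path.isdir(root):
        return found
    for name in os.listdir(root):
        try:
            with open(os.path.join(root, name, "flags")) as fh:
                if flags_word_is_promisc(fh.read().strip()):
                    found.add(name)
        except OSError:
            continue                       # not a real interface entry
    return found


def unexpected_promisc(seen, allowed):
    """Promiscuous interfaces that are not on the list of interfaces you
    expect to be promiscuous (e.g. the span port your IDS listens on)."""
    return sorted(set(seen) - set(allowed))


# Constructed sample of 'ip link show' output for a stand-alone run.
SAMPLE_IP_LINK = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP
"""

if __name__ == "__main__":
    seen = promisc_from_ip_link(SAMPLE_IP_LINK) | promisc_from_sysfs()
    print("promiscuous interfaces:", sorted(seen))
    print("not on the allowlist:", unexpected_promisc(seen, allowed={"eth0"}))
```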

IX. Making Sniffers Hard to Detect

There is a method to help make it more difficult to detect a sniffer
on a network. For this to work, you have to deploy two NICs in one computer.
For the first NIC, configure the interface with the address 0.0.0.0. This
will allow the sniffer to monitor traffic without being detected. But
there is still the issue of messages and alerts, which will be handed off
from the card the sniffer is on to another card to finish being delivered.
The second card has a regular address but is not in promiscuous mode, so
it will be very hard for someone to detect this type of setup.

X. How to Beat Sniffers

I am not going to get into this because Horizon put out an awesome article
in Phrack issue 54 (file 10), so go and study it. His paper outlines many
methods and tricks for beating sniffers.

XI. OS Fingerprinting

Passive sniffing has recently been utilized in a unique way that
allows the fingerprinting of an OS (Operating System) on a given host. This
is accomplished because each OS (and their respective distributions
and versions) has various idiosyncrasies in its implementation of the
TCP stack (see RFC 793). Armed with this knowledge, someone can study the
information in a packet header, record the various fields and then label
it with the OS that the packet came from. You now have a fingerprint of
that OS.

What passive sniffing does is it looks at whatever packets it captures
off of the network and tries to match up the packet header information
with a known OS fingerprint located in a database.

This is a surreptitious way to learn what OS is residing on what host.
The more conventional way to do fingerprinting is to actually send packets
to the target host(s) and see what you get back. This type of fingerprinting
is accomplished with the aid of such tools like nmap and queso.

Some of the tools that can do passive OS fingerprinting are mentioned
above in section VII: passfing, siphon, sosd.
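To make the fingerprint idea concrete, here is an added Python example
(mine, not the code of passfing, siphon or sosd): it pulls the initial
TTL, TCP window size and DF bit out of a raw IPv4/TCP SYN and looks them
up in a small fingerprint table. The table entries and the packet builder
are constructed for illustration; real tools also use TCP options, IP ID
behaviour and more, and carry much larger signature databases.

```python
import struct

# Constructed fingerprint table: illustrative values only, not the
# signature database shipped with any real tool.
# Fields: initial TTL, TCP window size, IP "don't fragment" bit set.
FINGERPRINTS = {
    "constructed-os-A": (64, 5840, True),
    "constructed-os-B": (128, 65535, True),
    "constructed-os-C": (255, 8760, False),
}


def initial_ttl(observed_ttl):
    """Round the observed TTL up to the nearest common starting value,
    since every router hop on the way decremented it by one."""
    for start in (32, 64, 128, 255):
        if observed_ttl <= start:
            return start
    return 255


def syn_features(packet):
    """Extract the fingerprinting fields from a raw IPv4/TCP packet.
    Returns None for anything that is not a plain TCP SYN."""
    ver_ihl, _tos, _total, _ident, flags_frag, ttl, proto = struct.unpack(
        "!BBHHHBB", packet[:10])
    if ver_ihl >> 4 != 4 or proto != 6:        # IPv4 carrying TCP only
        return None
    ihl = (ver_ihl & 0x0F) * 4                 # IP header length in bytes
    tcp = packet[ihl:ihl + 20]
    if len(tcp) < 20:
        return None
    _sport, _dport, _seq, _ack, off_flags, window = struct.unpack("!HHIIHH", tcp[:16])
    if off_flags & 0x01FF != 0x002:            # SYN alone: the opening packet
        return None
    return {"ttl": initial_ttl(ttl), "window": window,
            "df": bool(flags_frag & 0x4000)}


def fingerprint(packet):
    """Match the observed header fields against the table; return the
    label, or 'unknown' when nothing matches exactly."""
    feat = syn_features(packet)
    if feat is None:
        return "unknown"
    observed = (feat["ttl"], feat["window"], feat["df"])
    for label, signature in FINGERPRINTS.items():
        if observed == signature:
            return label
    return "unknown"


def build_syn(ttl, window, df, src="10.0.0.5", dst="10.0.0.9"):
    """Build a minimal IPv4/TCP SYN (constructed test input; checksums are
    left zero because the fingerprinting code never looks at them)."""
    ip_flags = 0x4000 if df else 0
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0x1234, ip_flags, ttl, 6, 0,
                         bytes(int(x) for x in src.split(".")),
                         bytes(int(x) for x in dst.split(".")))
    tcp_hdr = struct.pack("!HHIIHHHH", 40000, 80, 1, 0, (5 << 12) | 0x002, window, 0, 0)
    return ip_hdr + tcp_hdr


if __name__ == "__main__":
    # A SYN that crossed three hops arrives with TTL 61 and still maps to 64.
    print(fingerprint(build_syn(61, 5840, True)))     # constructed-os-A
    print(fingerprint(build_syn(125, 65535, True)))   # constructed-os-B
    print(fingerprint(build_syn(60, 1234, True)))     # unknown
```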

XII. War Driving

War driving is new and extremely popular. War driving is a variation
of war dialing where, instead of someone calling a list of numbers and
recording anything interesting, you drive around with a laptop with a
wireless NIC, possibly with a high gain antenna for even greater range,
looking for any wireless networks that are available.

A lot of wireless networks do not enable native security mechanisms
on their AP (Note: an AP is an Access Point, which is basically like a hub
or a switch for wireless networks that has an antenna to provide coverage
for a specific area). The native security on APs is something called WEP
or Wired Equivalent Privacy. WEP is very, very broken. When war driving,
if you encounter a network that uses WEP, you can easily bypass the security
because when you put your wireless NIC into promiscuous mode,
you can capture the vital information you need to crack WEP. Some things
you can grab are SSIDs and, if you collect enough information, you
can actually crack the WEP encryption.

Since so many wireless networks are not properly secured (even if you
enable security, you are still not secure), you can use your wireless NIC
to capture any packets that are flying around. This yields all kinds of
things like account names and passwords, company info, information about
the network, email messages, as well as providing a means of possibly accessing
the internet with a high connection rate.

There are many sites on the net that are devoted to war driving. If
this type of thing interests you then I recommend that you search google
for things like WEP, war driving, etc.

XIII. Carnivore

Carnivore is the code name for the FBI's sniffer. It was later renamed
DCS1000 in an attempt to obscure its image and to calm the public's fear
of its misuse. Its purpose is to monitor a suspect's email correspondence.

When Carnivore is installed, federal agents go to the suspect's ISP
with a "black box", which is just a dedicated server running all of the
FBI's preloaded Carnivore software on an MS OS. It is placed right on
the ISP's trunk so that it would be impossible for any data not to pass
through the box. It then reads the header information looking for any
email coming from or going to the suspect.

The real controversy with Carnivore is how it handles network traffic:
it reads all packet headers until it finds one it likes. This raises questions
like what's stopping the FBI from intercepting traffic it has no authority
to intercept. People would be more comfortable if the FBI's program could only
look at the targeted suspect's email rather than everyone's. Another
thing worth mentioning is that after 9/11, it was reported that the FBI
arrived at numerous ISPs with Carnivore boxes wishing to install them.

Some sites that are useful for finding out more information on Carnivore
are:

Cryptome - This is the best place to go.
The FBI's web site - This has some more useful documents.
AntiOffline's Circumventing Carnivore

XIV. Switch Sniffing

When I wrote the first incarnation of this document, I received quite
a few emails from admins and a few others asking if their switches are
susceptible to being sniffed. The answer is probably yes.

I should first start by explaining the difference between a hub and
a switch. A hub is a device that allows you to connect multiple hosts over
a shared medium. When a host sends out data, the data travels into the
hub and then the hub blindly forwards the data to all connected hosts.
The host that the data was meant for will recognize its MAC address
in the packet headers and then accept it. A switch, on the other hand, will
receive data from a host and inspect the packet looking for the destination
MAC address. The switch keeps a list of MAC addresses with the corresponding
switch ports the hosts are connected to. It will then forward that packet
to the specified port. If you don't quite understand why this complicates
the process of sniffing a switch, please refer to section II.

I should also mention a little about collision domains. A collision
domain is the space provided on a switch or a hub for data transfer. A
hub has only one collision domain, which all traffic will traverse.
This is a messy method because it allows for sniffing and other things
like bandwidth hogging. A switch makes use of better technology by setting
up what could be thought of as a pipe between a host that is trying to make
a connection and the host that is receiving the connection. That pipe is
a dedicated collision domain for that connection. Any data that is sent
will only travel through the pipe and will not be visible to anyone else.
The collision domain will also provide a definite amount of bandwidth for
the connection rather than a shared amount like on a hub.

The price of switches has dramatically fallen, so there is no excuse
not to replace hubs with switches or to choose a hub over a switch when
you purchase networking equipment. Keep in mind that some of the more costly
switches are endowed with better technology and are resistant to being
sniffed.

There are methods of defeating switches but this is contingent upon
how a switch operates. One of the more interesting ways to accomplish
this feat is a method called MAC flooding. When sent too much MAC information,
some switches will get "confused" and revert to a hub mode, which makes
the switch act just like a hub: one shared collision domain and blind
forwarding of all packets to all connected hosts.

I am going to start a database on my website http://www.alaricsecurity.com
which will have a detailed list of switches and whether or not they can
be sniffed. The success of this database will depend on people (admins,
hackers, etc.) who have access to a switch or switches, determine whether it
can or cannot be sniffed, and are willing to contribute that information.
Please visit my site for further information.

Some resources that can help you out are some of the sniffers mentioned in
section VII like dsniff, ettercap, and parasite. There are also more detailed
accounts of switch sniffing available on the net. Google
is a good place to start (as always) as well as:

The Dsniff FAQ
Why Your Switched Network Isn't Secure
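As an added example (mine, not from any of the tools above), the toy
switch below models the MAC-to-port table this section describes and what
happens to forwarding when that table overflows, next to the usual
mitigation: capping how many source MACs a port may learn and shutting the
port when the cap is exceeded. The cap's name and exact behaviour vary by
vendor and are an assumption of the model, as is the table evicting its
oldest entry when full.

```python
from collections import OrderedDict

FLOOD = "flood"   # result marker: frame went out every port, hub style


class Switch:
    """Toy learning switch (a model for this article, not a vendor's logic).

    The table maps source MAC -> ingress port and holds at most cam_size
    entries; when full, the oldest entry is dropped to make room (assumed
    aging behaviour). max_macs_per_port models a port-security style cap:
    a port that tries to learn more MACs than allowed is shut down.
    """

    def __init__(self, ports, cam_size, max_macs_per_port=None):
        self.ports = set(ports)
        self.cam = OrderedDict()
        self.cam_size = cam_size
        self.max_macs_per_port = max_macs_per_port
        self.macs_on_port = {p: set() for p in self.ports}
        self.disabled = set()

    def forward(self, src_mac, dst_mac, in_port):
        """Return the set of egress ports for a frame, FLOOD when the switch
        has to behave like a hub, or an empty set when the port is shut."""
        if in_port in self.disabled:
            return set()
        self.macs_on_port[in_port].add(src_mac)
        limit = self.max_macs_per_port
        if limit is not None and len(self.macs_on_port[in_port]) > limit:
            self.disabled.add(in_port)          # port security violation
            return set()
        if src_mac not in self.cam:
            if len(self.cam) >= self.cam_size:
                self.cam.popitem(last=False)    # table full: oldest entry out
            self.cam[src_mac] = in_port         # learn which port src is on
        out = self.cam.get(dst_mac)
        if out is None:
            return FLOOD                        # unknown destination: flood
        return {out}


def flood_demo(port_security):
    """Two legitimate hosts talk, then port 3 spews frames from many
    (constructed) source MACs. Returns (egress before, egress after,
    whether the noisy port was shut down)."""
    sw = Switch(ports=range(1, 5), cam_size=8,
                max_macs_per_port=2 if port_security else None)
    host_a, host_b = "aa:aa:aa:aa:aa:01", "aa:aa:aa:aa:aa:02"
    bcast = "ff:ff:ff:ff:ff:ff"
    sw.forward(host_a, bcast, 1)                # A and B announce themselves
    sw.forward(host_b, bcast, 2)
    before = sw.forward(host_a, host_b, 1)      # {2}: a proper switched path
    for i in range(50):                         # 50 bogus source MACs on port 3
        sw.forward("de:ad:be:ef:00:%02x" % i, bcast, 3)
    after = sw.forward(host_a, host_b, 1)       # FLOOD once A and B were evicted
    return before, after, 3 in sw.disabled


if __name__ == "__main__":
    print("no port security:", flood_demo(False))   # ({2}, 'flood', False)
    print("port security:   ", flood_demo(True))    # ({2}, {2}, True)
```

Without the cap, the fifty bogus entries push the two real hosts out of the table and their next frame is flooded to every port, which is exactly what a sniffer on another port is waiting for; with the cap, port 3 is shut after its third MAC and the real hosts keep their private path.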

XV. Resources

Security tool repositories like http://packetstormsecurity.org and http://www.wiretapped.net
are always a good starting place when you are in search of sniffers or
anything else security related. For interesting dumps of network traffic,
go to http://project.honeynet.org, the Honeynet Project; the site has loads
of logs that show intrusion attempts and would be a great place for someone
to get acquainted with reading logs and knowing what to look for.

XVI. In Closing

I hope that I have done a good enough job educating some of you newbies
reading this as well as making a decent point of reference for the more
experienced who may stumble upon this.